In the last 48 hours, age became a hot topic on Facebook, thanks to Microsoft's How-Old.net, a free age-guessing online tool. It proves age is still a contentious topic, regardless of gender, race and, obviously, age. A marvellous marketing gimmick!

As always happens, once a story catches fire, a few risk-averse or investigative minds start to dig deeper and uncover an inconvenient truth — the terms of this service authorise Microsoft to use user photos for more than just age-guessing. Exactly what the future uses are is unknown!

Having worked in cloud computing and outsourcing for the last 5 years, I find such user terms and conditions are not unusual. Most of them are crafted so that almost all risks are excluded from the service provider's liability. Legal counsel are paid to read all reported and unreported court cases and to protect companies like Microsoft in cases like this.

The basic assumptions of data privacy protection are in question here, and this case offers a chance to review them.

Is consent from the user enough?

For How-Old.net, clearly the intention of the user uploading the photo is to find out their age and gender. Users don't expect it to tell whether they have diabetes or what their sexuality is (it may be possible with enough data points!). However, the service provider's terms leave open the possibility of other uses of the photo, without specifying what they will be. Service providers are giving themselves some elbow room for future innovations. This is actually a typical way in which commercial terms respond to data privacy legislation.

Most data privacy laws require informed consent to specific uses of personal data. The rationale is that as long as users consent to the uses of their PII, there is NO violation of data privacy law. However, we have seen software or web service terms that try to include an extensive scope of uses, and sometimes unrestricted uses. Users are either lured into giving consent or just ignore the terms completely. Users give consent rather spontaneously!

For those who like to read the legal terms, they are extracted here.

However, by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services.

Lawyers say never to sign (or click on) anything without reading it first, but that rule typically goes out the window when it comes to complex-yet-boring end user licensing agreements (EULAs) and other software licenses.

As John Oliver said in his epic net neutrality screed: “If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement and you’d just go: Agree. Agree. Agree.”

That read-before-clicking mantra holds true for license agreements from cloud providers as well. For example, I would bet that when many startups — which often don’t have legal departments — sign on for Amazon Web Services, they don’t check out all the verbiage fully. And they should.

In particular, there is a provision in the AWS customer agreement that they really should scrutinize. The contract’s Section 8.5 on license restrictions includes the usual restrictions…

As 2015 approaches, it is time for new year resolutions and wishes. In the security industry, we are busy preparing for another eventful year!!

When preparing our budget and project portfolios, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post to provide my thoughts.

2015 Cyber Security Predictions

Healthcare will see a substantial increase of data stealing attack campaigns

Exploit mitigations reduce the number of useful vulnerabilities

Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or new malware.

More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.

Attacks on the Internet of Things will focus on business use cases, not consumer products

Internet of Things attacks move from proof-of-concept to mainstream risks

Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.

There will be bolder hacking attempts as cyber activity increases.

Credit card thieves will morph into information dealers

Encryption becomes standard, but not everyone is happy about it

Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money — and PoS attacks will strike a broader group of victims with increasing frequency.

An exploit kit that specifically targets Android users will surface.

Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone

More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years

As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.

Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.

Bugs in open source apps will continue to be exploited.

Email threats will take on a new level of sophistication and evasiveness

Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while

Lack of adequate response could result in a major brand going out of business

New mobile payment methods will introduce new threats.

As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites

From a security and risk management point of view, a central authority, or, using the author's words, “the powers that have traditionally controlled those transactions”, provides assurance on quality of service, security and privacy protection. However, with new technologies, most of these assurance features could be delivered by software.